Null-dereference READ in blink::BaselineContext::FindCompatibleSharedGroup
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5602858226155520
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x00000000000c
Crash State:
  blink::BaselineContext::FindCompatibleSharedGroup
  blink::GridBaselineAlignment::GetBaselineGroupForChild
  blink::GridBaselineAlignment::BaselineOffsetForChild
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=567450:567451
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5602858226155520

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Jun 16 2018
Automatically applying components based on crash stacktrace and information from OWNERS files. If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Jun 16 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/07d4cc08bc84677108d949e0b356f19e6c81cbc0 ([css-grid] Layout items to figure out the need of synthesized baseline). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Jun 18 2018
Bug confirmed. I'm working on this now.
Jun 20 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/b2b9dee1241b7d7fbc7376a21f450a4ee6408247

commit b2b9dee1241b7d7fbc7376a21f450a4ee6408247
Author: Javier Fernandez <jfernandez@igalia.com>
Date: Wed Jun 20 10:29:31 2018

[css-grid] Move the pre-layout logic out of the PlaceItemsOnGrid func

The Grid Layout code needs to run a pre-layout for some specific cases, which include orthogonal and baseline aligned grid items. We decided to execute this logic as part of the PlaceItemsOnGrid function, aiming for a better performance and simpler and more elegant code.

However, the PlaceItemsOnGrid function is not executed on re-layouts if no item has changed its position. Hence, there may be cases where we need to repeat the layout of the grid and some of the items involved in baseline alignment are marked for layout as well. In those cases, like the one described in the bug this CL tries to fix, the grid item is assumed as not participating in baseline alignment, but we resolve that it actually participates during the layout phase.

This CL tries to solve the issue by moving the pre-layout logic out of the PlaceItemOnGrid function, so we ensure both orthogonal and baseline alignment are laid out before running the intrinsic size and layout operations.

Bug: 853427
Change-Id: I31d0357e647cccf728376a4abc12e8ea19983822
Reviewed-on: https://chromium-review.googlesource.com/1104425
Commit-Queue: Javier Fernandez <jfernandez@igalia.com>
Reviewed-by: Manuel Rego Casasnovas <rego@igalia.com>
Cr-Commit-Position: refs/heads/master@{#568783}

[add] https://crrev.com/b2b9dee1241b7d7fbc7376a21f450a4ee6408247/third_party/WebKit/LayoutTests/fast/css-grid-layout/grid-self-baseline-and-item-relayout-should-not-crash-expected.txt
[add] https://crrev.com/b2b9dee1241b7d7fbc7376a21f450a4ee6408247/third_party/WebKit/LayoutTests/fast/css-grid-layout/grid-self-baseline-and-item-relayout-should-not-crash.html
[modify] https://crrev.com/b2b9dee1241b7d7fbc7376a21f450a4ee6408247/third_party/blink/renderer/core/layout/grid.cc
[modify] https://crrev.com/b2b9dee1241b7d7fbc7376a21f450a4ee6408247/third_party/blink/renderer/core/layout/grid.h
[modify] https://crrev.com/b2b9dee1241b7d7fbc7376a21f450a4ee6408247/third_party/blink/renderer/core/layout/layout_grid.cc
[modify] https://crrev.com/b2b9dee1241b7d7fbc7376a21f450a4ee6408247/third_party/blink/renderer/core/layout/layout_grid.h
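As an added illustration of the ordering problem the commit message above describes, here is a toy model written for this page; it is not Blink's code, and ToyGrid, RunScenario, PreLayoutBaselineItems and the other names are hypothetical. It models the two designs side by side: the buggy one, where the baseline pre-layout lives inside PlaceItemsOnGrid and so is skipped on a re-layout in which no item moved, and the fixed one, where the pre-layout runs before every layout pass. The scenario is the one from the bug: an item is placed while not participating in baseline alignment, later starts participating, and the grid re-lays out without any placement change.

```cpp
// Toy model of the re-layout ordering bug described in the commit message.
// This is an added illustration, not Blink's code; all names are hypothetical.
#include <map>
#include <string>
#include <utility>
#include <vector>

struct Item {
  std::string name;
  bool participates_in_baseline;  // may change between layouts (style change)
};

struct BaselineGroup {
  std::vector<std::string> members;
};

class ToyGrid {
 public:
  // prelayout_before_every_layout == false models the buggy design, where the
  // pre-layout lives inside PlaceItemsOnGrid; true models the fix, where it
  // runs before every layout pass regardless of placement.
  ToyGrid(std::vector<Item> items, bool prelayout_before_every_layout)
      : items_(std::move(items)),
        prelayout_before_every_layout_(prelayout_before_every_layout) {}

  // A style change on one item: its placement on the grid is unchanged, so the
  // next Layout() call sees items_moved == false.
  void SetParticipates(const std::string& name, bool value) {
    for (auto& item : items_)
      if (item.name == name) item.participates_in_baseline = value;
  }

  // Returns how many items got a baseline offset, or -1 if the layout phase
  // asked for a shared group that was never created (this stands in for the
  // null pointer read that the sanitizer report shows).
  int Layout(bool items_moved) {
    if (items_moved) PlaceItemsOnGrid();
    if (prelayout_before_every_layout_) PreLayoutBaselineItems();

    int computed = 0;
    for (const auto& item : items_) {
      if (!item.participates_in_baseline) continue;
      const BaselineGroup* group = FindCompatibleSharedGroup(item);
      if (group == nullptr) return -1;  // real code would read through it here
      ++computed;
    }
    return computed;
  }

 private:
  void PlaceItemsOnGrid() {
    // Buggy design: the pre-layout only runs when placement is redone.
    if (!prelayout_before_every_layout_) PreLayoutBaselineItems();
  }

  // Rebuilds the shared baseline groups from the items' current state.
  void PreLayoutBaselineItems() {
    groups_.clear();
    for (const auto& item : items_) {
      if (item.participates_in_baseline)
        groups_["shared"].members.push_back(item.name);
    }
  }

  const BaselineGroup* FindCompatibleSharedGroup(const Item&) const {
    auto it = groups_.find("shared");
    return it == groups_.end() ? nullptr : &it->second;
  }

  std::vector<Item> items_;
  bool prelayout_before_every_layout_;
  std::map<std::string, BaselineGroup> groups_;
};

// The sequence from the bug: the first layout places the items while none of
// them participates in baseline alignment; a later change makes one item
// participate, and the grid re-lays out without any item changing position.
// Returns -1 for the buggy design and 1 (one baseline offset computed) for the
// fixed one.
int RunScenario(bool fixed) {
  ToyGrid grid({{"a", false}, {"b", false}}, fixed);
  grid.Layout(/*items_moved=*/true);   // placement (+ pre-layout): no groups
  grid.SetParticipates("a", true);     // style change, placement unchanged
  return grid.Layout(/*items_moved=*/false);
}
```

The point the model makes is that any state derived during placement (here, the set of shared baseline groups) is only as fresh as the last placement, so a layout pass that can run without placement must either recompute that state itself or tolerate its absence. The CL takes the first route by hoisting the pre-layout out of PlaceItemsOnGrid so it always precedes the intrinsic size and layout operations.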
Jun 20 2018
This bug should be FIXED now.
Jun 21 2018
ClusterFuzz has detected this issue as fixed in range 568782:568783.

Detailed report: https://clusterfuzz.com/testcase?key=5602858226155520
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x00000000000c
Crash State:
  blink::BaselineContext::FindCompatibleSharedGroup
  blink::GridBaselineAlignment::GetBaselineGroupForChild
  blink::GridBaselineAlignment::BaselineOffsetForChild
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=567450:567451
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=568782:568783
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5602858226155520

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 21 2018
ClusterFuzz testcase 5602858226155520 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.